A version of this post previously appeared in Telum Media
The GDPR sets a new global standard for the management of personal data, with far-reaching impact beyond the borders of the European Union (EU) and the citizens it has been designed to protect. Compliance is just one part of the process. Being prepared for the heightened risks of non-compliance and how to respond if your organization is in breach will be critical to maintaining long-term trust with stakeholders.
The new regulation mandates that all organizations collecting the personal information of EU citizens be held more responsible for their customer and employee data and gives control back to individuals. This is particularly relevant for Asian businesses in industries such as aviation, consumer products, hotel and leisure.
Perhaps the most significant impact of GDPR on corporate reputation is the requirement that if an organization falls foul of the regulation, including data breaches like cyber hacks, then notification is mandatory.
The key notification requirements of GDPR include:
- Data breaches must be reported to the Information Commissioner's Office (ICO) within 72 hours
- The following information must be disclosed:
  - A description of the nature of the personal data breach;
  - The categories and approximate number of personal data records concerned;
  - A description of the likely consequences of the personal data breach;
  - A description of the measures taken, or proposed to be taken, to deal with the personal data breach, including measures taken to mitigate any possible adverse effects.
Communicating the notification process—the last two points—will be key to protecting reputation. The regulation states that if a breach is likely to result in a high risk to the rights of individuals, the organization must inform them directly and without delay. When notifying individuals, you need to be able to describe in clear and plain language the nature of the personal data breach.
A detailed notification that demonstrates the organization is on top of its data management process will convey that the business is aware of the potential impact on individuals and taking active steps to address it.
Following notification, organizations will need to ensure adequate customer service support across relevant channels (phone, social, website, etc.). Breaches generate large volumes of inbound enquiries and organizations need to have the resources in place to cope with this. Failure to do so could result in the perception that the business is not in control and risks more reputational damage than the actual breach itself. Too often, it is the mishandling and miscommunication of an issue that precipitates a full-blown crisis.
Media should be regarded as one of the many stakeholders to be considered for the communications plan. Employees must be kept updated, as there is a high chance their data will be impacted as part of the breach.
With the GDPR reaching beyond Europe, what is the impact of GDPR on Asia Pacific (APAC) businesses?
- Given the immense extraterritorial reach of GDPR, APAC businesses must update their procedures for handling data of individuals in the EU to avoid hefty penalties of up to 4 percent of global annual turnover or €20 million, whichever is greater.
- GDPR applies to any organization that actively markets to consumers who are physically in the EU, or that processes any data at an EU-based site.
- According to EY’s Global Forensic Data Analytics Survey published earlier this year, only 12 percent of Asia Pacific businesses impacted by GDPR have a plan to address it.
As reputation advisers, communicators in Asia need at a minimum to have baseline awareness of the potential impact of GDPR on their brand. Companies that manage it actively will have greater control of their data than ever before, with the potential for smarter marketing campaigns and an enhanced customer experience. Forward-thinking organizations in Asia will prepare for the risk of fallout and the best will see this as a golden opportunity to build trust with customers by embedding the highest international standards of data privacy.
Leo Wood is director, deputy head of Reputation, Hong Kong.